Commit 94af6803f2f7b2263de5c33824603cd59204febd

Authored by 娄高锋
1 parent b22c203d

改掉sql拼接(sql注入漏洞)。

# Conflicts:
#	src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
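--- a/src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
+++ b/src/main/java/com/bsth/service/schedule/impl/PeopleCarPlanServiceImpl.java
@@ -46,18 +46,27 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 List<ScheduleRealInfo> list = new ArrayList<ScheduleRealInfo>();
 
 try {
-String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str = '"+date+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str = ?";
+objList.add(date);
 
-if(line.length() != 0)
-sql += " and xl_bm = '"+line+"'";
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
+if(line.length() != 0){
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
+}
 
 sql += " order by gs_bm, fgs_bm, xl_bm";
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -193,17 +202,25 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 try {
-
-String sql = "select * from bsth_c_s_sp_info where schedule_date = '"+date+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info where schedule_date = ?";
+objList.add(date);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<SchedulePlanInfo>(){
 @Override
 public SchedulePlanInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -601,19 +618,25 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 endDate = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
 }
 try {
-
+List<String> objList = new ArrayList<String>();
 String sql = "select schedule_date_str,xl_name,bc_type,gs_name,fgs_name,fgs_bm,bcs,"
 +"fcno,fcsj,fcsj_actual,zdsj,zdsj_actual,bcsj,qdz_name,sp_id,cc_service"
-+" from bsth_c_s_sp_info_real where schedule_date_str >= '"+startDate
-+"' and schedule_date_str <= '"+endDate+"'";
++" from bsth_c_s_sp_info_real where schedule_date_str >= ?"
++" and schedule_date_str <= ?";
+objList.add(startDate);
+objList.add(endDate);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 }
 if(company.length() != 0){
-sql += " and gs_bm = '"+company+"'";
+sql += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql += " and fgs_bm = '"+subCompany+"'";
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 sql += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
 if(Integer.valueOf(bcType) == 1){
@@ -622,6 +645,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 sql += " and bc_type = 'region'";
 }
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -915,19 +939,26 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 endDate = new SimpleDateFormat("yyyy-MM-dd").format(new Date());
 }
 try {
-
-String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= '"+startDate+"' and schedule_date_str <= '"+endDate+"'";
+List<String> objList = new ArrayList<String>();
+String sql = "select * from bsth_c_s_sp_info_real where schedule_date_str >= ? and schedule_date_str <= ?";
+objList.add(startDate);
+objList.add(endDate);
+
 if(line.length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 }
 if(nbbm.length() != 0){
-sql += " and cl_zbh like '%"+nbbm+"%'";
+sql += " and cl_zbh like ?";
+objList.add("%" + nbbm + "%");
 }
 if(company.length() != 0){
-sql += " and gs_bm like '"+company+"'";
+sql += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql += " and fgs_bm like '"+subCompany+"'";
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 sql += " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks'";
 if(bcType.trim().equals("1")){
@@ -937,6 +968,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -1206,20 +1238,28 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 isCancel = map.get("isCancel").toString().trim();
 }
 try {
+List<String> objList = new ArrayList<String>();
 String sql = "select tt.id, tt.name from bsth_c_s_ttinfo tt left join" +
 " (select tt_info from bsth_c_s_sp_info where 1=1";
-if(startDate.trim().length() > 0)
-sql += " and schedule_date >= '"+startDate+"'";
-if(endDate.trim().length() > 0)
-sql += " and schedule_date <= '"+endDate+"'";
+
+if(startDate.trim().length() > 0){
+sql += " and schedule_date >= ?";
+objList.add(startDate);
+}
+if(endDate.trim().length() > 0){
+sql += " and schedule_date <= ?";
+objList.add(endDate);
+}
 if(line.trim().length() != 0){
-sql += " and xl_bm = '"+line+"'";
+sql += " and xl_bm = ?";
+objList.add(line);
 } else {
 return resList;
 }
 sql += " ) sp on sp.tt_info = tt.id where sp.tt_info is not null group by tt.id, tt.name";
 
 resList = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -1261,18 +1301,28 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 date = sdf.format(new Date());
 
 try {
+List<String> objList = new ArrayList<String>();
 String sql = "select a.schedule_date_str, a.real_exec_date, a.xl_name, a.fcsj, a.fcsj_actual, a.zdsj, a.zdsj_actual, a.qdz_name, a.zdz_name, a.xl_dir, a.status, a.gs_name, a.fgs_name,"
 + " a.xl_bm, a.fgs_bm, a.cc_service, b.start_opt from bsth_c_s_sp_info_real a left join (select line, start_opt from bsth_c_line_config order by id desc) b on a.xl_bm = b.line"
-+ " where schedule_date_str = '"+date+"'"
++ " where schedule_date_str = ?"
 + " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks' and bc_type != 'region'";
-if(line.trim().length() != 0)
-sql += " and xl_bm = '"+line+"'";
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
+objList.add(date);
+
+if(line.trim().length() != 0){
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
+}
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -1532,19 +1582,30 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 }
 
 try {
+List<String> objList = new ArrayList<String>();
 String sql = "select a.schedule_date_str, a.real_exec_date, a.xl_bm, a.xl_name, a.fcsj, a.fcsj_actual, a.zdsj, a.zdsj_actual, a.qdz_name, a.zdz_name, a.xl_dir, a.status, a.gs_name, a.fgs_name,"
 + " a.fgs_bm, a.cc_service, a.remarks, a.adjust_exps, b.start_opt from bsth_c_s_sp_info_real a left join (select line, start_opt from bsth_c_line_config order by id desc) b "
 + " on a.xl_bm = b.line"
-+ " where schedule_date_str >= '"+startDate+"' and schedule_date_str <= '"+endDate+"'"
++ " where schedule_date_str >= ? and schedule_date_str <= ?"
 + " and bc_type != 'in' and bc_type != 'out' and bc_type != 'ldks' and bc_type != 'region'";
-if(line.length() != 0)
-sql += " and xl_bm = '"+line+"'";
-if(company.length() != 0)
-sql += " and gs_bm = '"+company+"'";
-if(subCompany.length() != 0)
-sql += " and fgs_bm = '"+subCompany+"'";
+objList.add(startDate);
+objList.add(endDate);
+
+if(line.length() != 0){
+sql += " and xl_bm = ?";
+objList.add(line);
+}
+if(company.length() != 0){
+sql += " and gs_bm = ?";
+objList.add(company);
+}
+if(subCompany.length() != 0){
+sql += " and fgs_bm = ?";
+objList.add(subCompany);
+}
 
 list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<ScheduleRealInfo>(){
 @Override
 public ScheduleRealInfo mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2150,24 +2211,30 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 // String code = map.get("code").toString();
 String type = map.get("type").toString();
 
+List<String> objList = new ArrayList<String>();
 String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' ";
++ " WHERE schedule_date_str = ? ";
+objList.add(date);
+
 if(!line.equals("")){
-sql_ += " and xl_bm = '"+line+"'";
+sql_ += " and xl_bm = ?";
+objList.add(line);
 }
 if(company.length() != 0){
-sql_ += " and gs_bm='"+company+"'";
+sql_ += " and gs_bm = ?";
+objList.add(company);
 }
 if(subCompany.length() != 0){
-sql_ += " and fgs_bm='"+subCompany+"'";
+sql_ += " and fgs_bm = ?";
+objList.add(subCompany);
 }
 
-
 String sql="SELECT r.id,r.schedule_date_str,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,r.fcsj,"
 + " r.gs_name,r.fgs_name,CONCAT(r.xl_bm,'_',r.id) as line_sch FROM ("+sql_+") AS r"
 + " order by r.gs_bm,r.fgs_bm,r.xl_bm,r.id ";
 
 List<Map<String, Object>> tempList = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2372,14 +2439,18 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 // String code = map.get("code").toString();
 String type = map.get("type").toString();
 
+List<String> objList = new ArrayList<String>();
 String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' and xl_bm = '"+line+"'";
++ " WHERE schedule_date_str = ? and xl_bm = ?";
+objList.add(date);
+objList.add(line);
 
 String sql="SELECT r.id,r.schedule_date_str,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,r.fcsj,"
 + " r.gs_name,r.fgs_name,CONCAT(r.xl_bm,'_',r.id) as gh_sch FROM ("+sql_+") AS r"
 + " order by r.xl_name,r.id ";
 
 List<Map<String, Object>> list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {
@@ -2577,14 +2648,17 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 if(map.get("type")!=null)
 type = map.get("type").toString().trim();
 
-String sql_="select * from bsth_c_s_sp_info_real "
-+ " WHERE schedule_date_str = '"+date+"' and j_gh = '"+jgh+"'";
+List<String> objList = new ArrayList<String>();
+String sql_ = "select * from bsth_c_s_sp_info_real "
++ " WHERE schedule_date_str = ? and j_gh = ?";
+objList.add(date);
+objList.add(jgh);
 
 if(!line.equals("")){
-sql_ +=" and xl_bm = '"+line+"'";
+sql_ +=" and xl_bm = ?";
+objList.add(line);
 }
 
-
 String sql="SELECT r.id,r.schedule_date_str,r.fcsj,r.xl_name,r.xl_bm,r.cl_zbh,r.j_gh,r.j_name,"
 + " r.fcsj,d. TIMESTAMP,d.reply46,d.reply47,d.reply46time,d.reply47time,"
 + " r.gs_name,r.fgs_name FROM ("+sql_+") "
@@ -2593,6 +2667,7 @@ public class PeopleCarPlanServiceImpl implements PeopleCarPlanService {
 
 
 List<Map<String, Object>> list = jdbcTemplate.query(sql,
+objList.toArray(),
 new RowMapper<Map<String, Object>>(){
 @Override
 public Map<String, Object> mapRow(ResultSet rs, int rowNum) throws SQLException {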
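Review bot: The LIKE argument built at new line 953, `objList.add("%" + nbbm + "%");`, binds the value safely but still lets a caller put `%` or `_` inside `nbbm` and widen the match to arbitrary rows; if `nbbm` is meant as a literal substring, escape those characters before wrapping, e.g. `objList.add("%" + nbbm.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_") + "%");` (backslash is the default LIKE escape on MySQL, which the `CONCAT(...)` calls suggest this targets; other databases need an explicit `escape` clause). Switching `gs_bm like` and `fgs_bm like` to `=` at new lines 956 and 960 is a behavioural change beyond the injection fix and deserves a mention in the commit message. In the last three hunks the parameterised `sql_` is spliced into an outer query with `FROM ("+sql_+") AS r`; the `?` order still matches `objList` because the subquery text comes first, but the outer query at 2591–2592 continues outside the hunk, so confirm nothing there still concatenates `date`, `jgh` or `line`. Parameterisation closes the injection but not the authorisation question — whether the caller may query the `company`/`subCompany` it passes in is not checked anywhere visible in these hunks.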